Apple and Security

This past few weeks Apple has been on the eye of several security experts (and by their comments, probably promoted by some antivirus vendors) which have prophesized this year to be the year of the Mac OS X Virus.

Three (if I remember correctly) proof-of-concept "viruses" have supposedly appeared. One is eight months old and has been patched (although, it was harmless, it had something to do with it's proliferation through Bluetooth). Another can disperse itself through iChat, although it couldn't do anything else. The last one, nevertheless, has caught my eye, because it can be very destructive and doesn't require user intervention.

It takes advantage of some features in several applications in Mac OS X to do it's job:

Safari has by default enabled an option that makes Safari execute any "safe" file when finished downloading. This includes zip or archive files, in case of which Safari also executes any "safe" files inside them.

The archive handler doesn't decide which application is the preferred one to open any of the files that it contains. Rather, it let's the file impose that decision. If the file doesn't have any application as a preferred one, the archive handler defaults it to the Terminal.

The way that Safari certifies a file as "safe" is by it's extension, not by the application that will open it (which would've been more reliable, in my opinion).

So imagine a guy (gals are less evil) writes a shell executable file that will erase all the files inside the home directory of a user (easy: write a text file that contains the line 'rm -r ~/*', without the quotes; that's it). He then changes the extension of that file to an inoffensive jpg by just renaming it. Later, archives it and uploads it to his website. Finally, he makes the website (via PHP or ASP) ask the browser to download his archived file (which can be done easily just going through the reference of any of these languages).

Now every Mac user that visits his webpage using Safari will NOT be asked to download this file: it will be done automatically, because Safari thinks it's safe. It will then be unarchived and the apparently inoffensive jpg file inside will also be executed. Being that it has no application linked to it, Terminal will take over. Terminal will see the line 'rm -r ~/*' and delete all the files in the users home directory. Because all the files are owned by the user, Terminal won't ask for any password or permission to do so, so the user doesn't have any chance to stop this from happenning when visiting the website.

Frankly: wow, my hat's off to the guy that came up with this. Anybody can wreak havoc on a Safari user now... well... except if the user disables the option to execute "safe" files when finished downloading or to move the Terminal application to another place other than the Applications folder, which is a very simple procedure to secure yourself. In other forums I advised many people to do this while we waited for the security update from Apple.

Microsoft always releases patches about once every month (even more so if we bring up the WMF vulnerability that showed up this past winter). Apple has already released the patch for this (and other stuff as well) for both the Panther and Tiger versions of Mac OS X (Jaguar and other older version apparently aren't affected, probably because Safari in these older versions doesn't automatically execute files when finished downloading). You can find the documentation of this security update here.

This 'bug' was brought to our attention around Feb. 20, 2006 (is impossible to really know when it was 'out there'). This security update, that does not only patch this vulnerability, but several others, was up for downloading Feb. 28, 2006 (officially, it was March 1, 2006). Also consider that a major security update (version 10.4.5) was given out Feb 14, 2006, so this wasn't a scheduled patch.